Healthcare organizations focus on compliance, rather than patient data security

Kroll's Brian Lapidus said there is “organizational confusion about who is responsible for data security”

The bi-annual survey of healthcare providers shows a steady rise in data breaches over the last six years, despite increasingly stringent regulatory requirements surrounding reporting and auditing procedures and heightened levels of compliance.

“We are seeing healthcare providers nationwide prioritize compliance over security, which potentially puts patient data at risk”, Brian Lapidus, senior vice president at Kroll Advisory Solutions, told Infosecurity.

In addition, the survey of 250 healthcare providers found that human error remains the greatest threat to healthcare data security. A full 79% of respondents reported that a security breach was perpetrated by an employee; 56% indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach; and 45% indicated that lack of staff attention to policy puts data at risk.

“Employees were cited as the number one source of a breach organizationally”, Lapidus observed.

The mobility of patient data is a leading factor in healthcare data breaches, the survey found. Close to one-third of respondents said that information available on a portable device was among the factors most likely to cause a breach (up from 20% in 2010, and only 4% in 2008).

“Both the mobility of the patient data, which is made possible by new technologies such as smartphones, and the proliferation of those devices are key factors in healthcare security breaches”, Lapidus noted.

The industry’s expectations of third-party data security practices are not keeping pace with the increased outsourcing of patient data, and, as a result, third-party breaches are on the rise, the study found; 18% of respondents who experienced a breach in the past 12 months cited third parties as the root cause.

In addition, 28% of respondents indicated that sharing information with external parties is the top item that puts patient data at risk (up from 18% in 2010, and 6% in 2008); half of respondents noted that they required proof of employee training and background checks from third parties; and 56% of respondents indicated they verify that their third party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.

The survey also found that there was “organizational confusion about who is responsible for data security” at healthcare organizations, Lapidus related. “There is a lack of clarity about who owns what, when, and why.”
